A new Minnesota law (H.F. No. 1758), enacted May 21, 2007, prohibits any business that accepts credit, debit or stored value cards in Minnesota from retaining certain card data after a transaction has been authorized. The law also permits the financial institutions that issue these cards to recover the costs of a security breach from businesses that retain prohibited data in violation of the law. The restrictions on data retention take effect August 1, 2007; the provisions regarding liability for data breach take effect on August 1, 2008. This new law reinforces the need for all businesses that handle sensitive personal information to have a security plan in place to protect that information and to respond in the event of a data breach.
Under the new law, a person or entity doing business in Minnesota is prohibited from retaining the card security code, the cardholder’s PIN, or the contents of a card’s magnetic stripe after a card transaction has been authorized (although PINs may be stored for up to 48 hours). Significantly, the law also makes a business liable if its card processor retains prohibited data. If a business, or that business’s card processor, retains prohibited card data and suffers a security breach, the financial institutions that issued the cards may sue the business to recover the costs of the breach. Such costs can include the financial institution’s cost to cancel and reissue cards, to close and reopen related accounts, to reimburse cardholders for unauthorized transactions, and to notify cardholders affected by the breach. The financial institution may also recover legal damages paid to affected cardholders.
The new law was introduced in response to recent data breaches at certain nationwide retailers that compromised millions of credit and debit cards and clarifies who is liable for the cost associated with the reissuance of such compromised cards. Similar legislation has been proposed in at least five other states (California, Connecticut, Illinois, Massachusetts and Texas) and in the U.S. House of Representatives. In addition to the liabilities they may incur under such new laws, merchants who do not adequately protect sensitive card data may face enforcement action by the Federal Trade Commission, which considers inadequate security an “unfair trade practice.”
The new laws on liability are part of a general trend towards increasing protection of sensitive consumer data in an effort to prevent identity theft. Some 35 states, including Minnesota, now have laws requiring businesses that own or use personal information (e.g., a consumer’s name in combination with social security number, driver’s license number or account number) to notify consumers in the event of a data breach that compromises that information.
In light of the new law, any business that accepts credit, debit or stored value cards in Minnesota should take immediate action to ensure that its point-of-sale system does not store prohibited data and that its card processor is in compliance with the law. Anyone who handles sensitive consumer information in the course of their business should also have an effective security plan in place to prevent data breaches and to respond if one occurs. Finally, depending on how a business participates in the issuance, use and processing of credit and debit cards, it would be prudent to review applicable contractual relationships to determine how they are affected by the new law.